What is the CVSS score of CVE-2025-64525?

CVE-2025-64525 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. EPSS exploitation probability: 1.3%.

Which versions of Astro are affected by CVE-2025-64525?

Organizations using Astro should be aware of notable risk from CVE-2025-64525, a server-side request forgery vulnerability rated CVSS 6.5. Users could be tricked into performing unintended actions.. A patch is available.

Is there a public PoC exploit available for CVE-2025-64525?

Yes, a public proof-of-concept exploit is available for CVE-2025-64525. Prioritise patching immediately. EPSS: 1.3%.

How to fix or mitigate CVE-2025-64525?

Within 7 days: Identify affected systems running Astro and apply vendor patches promptly. Vendor patch is available.

Astro CVE-2025-64525

MEDIUM

Server-Side Request Forgery (SSRF) (CWE-918)

2025-11-13 security-advisories@github.com

SSRF Astro

6.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:22 vuln.today

Patch released

Mar 28, 2026 - 19:22 nvd

Patch available

PoC Detected

Nov 25, 2025 - 15:14 vuln.today

Public exploit code

CVE Published

Nov 13, 2025 - 16:15 nvd

MEDIUM 6.5

DescriptionGitHub Advisory

Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers x-forwarded-proto and x-forwarded-port are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via x-forwarded-proto), DoS via cache poisoning (if a CDN is present), SSRF (only via x-forwarded-proto), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.

AnalysisAI

Astro is a web framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers x-forwarded-proto and x-forwarded-port are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via x-forwarded-proto), DoS via cache poisoning (if a CDN is present), SSRF (only via x-forwarded-proto), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch. Affected products include: Astro. Version information: Version 5.15.5.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.

CVE-2025-64525 vulnerability details – vuln.today

Back

Astro CVE-2025-64525

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code